The Portnox Cloud portal does not list the broker
Possible causes:
- The broker never sent any data
- The broker hasn’t sent any data for more than 30 minutes
- The broker directory cluster was deleted
Solution:
- Verify that the broker is installed
- Verify that the broker service is running: Where to find the AD Broker service
- Check if the cloud servers are reachable from the broker: How to check if the AD Broker connects to the cloud
- Reinstall the broker to configure it again (in case the broker directory cluster was deleted)
- Check the broker logs: Where to find the AD Broker logs and status

Broker status: Dormant
Possible cause: The broker hasn’t sent any data or logs to the cloud for more than 30 minutes
Solution:
- Verify that the broker service is running: Where to find the AD Broker service
- Check if the cloud servers are reachable from the broker: How to check if the AD Broker connects to the cloud
- Check the broker logs: Where to find the AD Broker logs and status

Broker status: Not operational
Possible cause: There are issues with access to the directory cluster.
Solution:
- Check the directory cluster settings in Portnox Cloud:
- Check if the local LDAP server is reachable from the broker: How to check if the AD Broker connects to the LDAP server
- Check the broker logs: Where to find the AD Broker logs and status

Broker status: Wrong LDAP credentials
Possible cause: The LDAP credentials are missing or wrong. This might happen if someone changed the admin credentials on the LDAP server, or if someone changed the LDAP server address in Portnox Cloud.
Solution:
- Reinstall the broker to configure it again (in case of a change in the domain controller or the LDAP server)
- Check the directory cluster settings in Portnox Cloud:
- Check if the local LDAP server is reachable from the broker: How to check if the AD Broker connects to the LDAP server
- Check the clock on the user device and the domain controller. If they are out of synchronization, for example because one of them is not automatically updated from a time server, authentication problems may occur.
- If you want to use NTLMv2 authentication only and block NTLMv1 for security reasons, make sure that the user account for the Portnox Active Directory Broker, which is used to connect to the domain controller, is a member of the Domain Admins security group and has the following minimum permissions: DS-Replication-Get-Changes and DS-Replication-Get-Changes-All. Otherwise, the Directory Broker will be unable to verify the password hash, and all NTLMv2 authentication attempts will fail. Because those replication permissions let the account read password hashes from the directory, protect it as you would any domain administrator account.
- Check the broker logs: Where to find the AD Broker logs and status

Broker status: Misconfigured
Possible cause: The directory cluster settings are missing or wrong. This status is uncommon; it can happen when old directory clusters have wrong settings, or when the cluster was deleted.
Solution:
- Check the directory cluster settings in Portnox Cloud:
- Check if the local LDAP server is reachable from the broker: How to check if the AD Broker connects to the LDAP server
- Check the broker logs: Where to find the AD Broker logs and status

Broker status: Not updated
Possible cause: The broker is running an old version. This can happen due to communication issues, or if a new broker version was published but not installed.
Solution:
- Check if the cloud servers are reachable from the broker: How to check if the AD Broker connects to the cloud
- Check if there is enough space on the disk of the Windows machine to install the new broker version.
- Check the broker logs: Where to find the AD Broker logs and status
- Install the new broker version manually

Broker status: Unreachable
Possible cause: There are issues with establishing a relay connection.
Solution:
- Check if the cloud servers are reachable from the broker: How to check if the AD Broker connects to the cloud
- Check if the local LDAP server is reachable from the broker: How to check if the AD Broker connects to the LDAP server
- Check the broker logs: Where to find the AD Broker logs and status

Broker status: Active
Possible cause: The Active Directory Broker seems to work properly, but there are still issues.
Solution:
- Check if the cloud servers are reachable from the broker: How to check if the AD Broker connects to the cloud
- Check if the local LDAP server is reachable from the broker: How to check if the AD Broker connects to the LDAP server
- Check the broker logs: Where to find the AD Broker logs and status

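The same checks recur across the statuses above: is the broker service running, can the broker host reach the cloud servers, can it reach the domain controller on the LDAP/LDAPS ports, and is its clock in step with the domain controller. The following PowerShell script is an added example, not Portnox's own tooling, that runs those checks read-only from the broker host and prints one pass/fail line per check. The cloud endpoint and port, the domain controller FQDN, and the service-name pattern are assumptions; replace them with the values from your tenant and the Portnox documentation.

```powershell
# Added example, not Portnox's own tooling: a read-only health check run on the Windows host
# that runs the Portnox AD Broker. The cloud endpoints, the domain controller FQDN and the
# service-name pattern are assumptions; replace them with your tenant's values.
param(
    [string[]]$CloudHosts     = @('cloud.example.com'),     # assumed Portnox Cloud endpoint(s)
    [int[]]$CloudPorts        = @(443),                      # assumed port(s)
    [string]$DomainController = 'dc01.corp.example.com',     # assumed DC FQDN from the directory cluster
    [string]$ServicePattern   = '*Portnox*',                 # assumed pattern matching the broker service
    [int]$MaxSkewSeconds      = 300                          # Kerberos default maximum clock skew
)

$results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail })
}

# 1. Broker service installed and running (covers "not listed" and "Dormant")
$services = Get-Service | Where-Object { $_.DisplayName -like $ServicePattern -or $_.Name -like $ServicePattern }
if (-not $services) {
    Add-Result 'Broker service' $false "No service matches '$ServicePattern'; is the broker installed?"
}
foreach ($svc in $services) {
    Add-Result "Service $($svc.Name)" ($svc.Status -eq 'Running') "Status: $($svc.Status)"
}

# 2. Cloud reachability: a plain TCP connect, no credentials are sent
foreach ($h in $CloudHosts) {
    foreach ($p in $CloudPorts) {
        $t = Test-NetConnection -ComputerName $h -Port $p -WarningAction SilentlyContinue
        Add-Result "Cloud ${h}:${p}" $t.TcpTestSucceeded "Resolved to $($t.RemoteAddress)"
    }
}

# 3. LDAP (389) and LDAPS (636) reachability to the domain controller
foreach ($p in 389, 636) {
    $t = Test-NetConnection -ComputerName $DomainController -Port $p -WarningAction SilentlyContinue
    Add-Result "DC ${DomainController}:${p}" $t.TcpTestSucceeded "Resolved to $($t.RemoteAddress)"
}

# 4. Clock offset between this host and the DC; w32tm prints one "time, +offset s" line per sample
$samples = w32tm /stripchart "/computer:$DomainController" /samples:3 /dataonly 2>&1
$offsets = foreach ($line in $samples) {
    if ($line -match ',\s*([+-]?\d+\.\d+)s') { [math]::Abs([double]$Matches[1]) }
}
if ($offsets) {
    $maxSkew = ($offsets | Measure-Object -Maximum).Maximum
    Add-Result 'Clock skew vs DC' ($maxSkew -lt $MaxSkewSeconds) ('Max offset {0:N3}s (limit {1}s)' -f $maxSkew, $MaxSkewSeconds)
} else {
    Add-Result 'Clock skew vs DC' $false "w32tm returned no samples: $($samples -join ' ')"
}

$results | Format-Table -AutoSize
```

A failed TCP connect to the cloud endpoint points at the "not listed", "Dormant", "Not updated" and "Unreachable" statuses; a failed connect to the DC on 389/636 points at "Not operational", "Wrong LDAP credentials" and "Misconfigured"; a clock offset near or above the limit explains authentication failures even when every connection succeeds. The script only opens connections and reads the time offset, so it is safe to run on a production broker.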
SSL (LDAPS) communication not working
Possible cause: The domain controllers were defined using IP addresses.
Solution:
- In Portnox Cloud, go to and in Domain Controllers (DC), define the domain controllers using FQDNs, not IP addresses
- Use a tool such as Ldp to validate that the domain controller is configured correctly with LDAPS and the certificate.

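LDAPS fails with IP addresses because the TLS client matches the certificate's subject / Subject Alternative Name against the name it was asked to connect to, and domain controller certificates carry the DC's FQDN, not its IP. The following PowerShell script is an added example, not Portnox's own tooling and not a substitute for Ldp, that completes a TLS handshake with a DC on port 636 and reports what the certificate contains and whether it validates for the name used; the DC name is a parameter you supply. Run it once with the FQDN and once with the IP address to see the name-mismatch error appear.

```powershell
# Added example, not Portnox's own tooling: complete a TLS handshake with a domain controller on
# the LDAPS port and report the certificate and whether it validates for the name used to connect.
# The DC name is an assumption supplied by the caller (FQDN, or the IP to reproduce the failure).
param(
    [Parameter(Mandatory = $true)][string]$DomainController,
    [int]$Port = 636
)

# The callback records the validation result instead of aborting the handshake, so the
# certificate can still be inspected when validation fails.
$state = @{ Errors = $null }
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $state.Errors = $sslPolicyErrors
    return $true
}

$client = New-Object System.Net.Sockets.TcpClient
$ssl = $null
try {
    $client.Connect($DomainController, $Port)
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    # The name passed here is what the certificate's CN / SAN is matched against. With an IP
    # address the match fails unless the certificate carries an IP SAN, which DC certificates
    # normally do not; that is the RemoteCertificateNameMismatch case.
    $ssl.AuthenticateAsClient($DomainController)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
    $san = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }

    [pscustomobject]@{
        Target           = "${DomainController}:${Port}"
        Protocol         = $ssl.SslProtocol
        Subject          = $cert.Subject
        Issuer           = $cert.Issuer
        NotAfter         = $cert.NotAfter
        SubjectAltName   = $san
        ValidationErrors = $state.Errors   # None = name, chain and validity period all check out
    }
} finally {
    if ($ssl) { $ssl.Dispose() }
    $client.Dispose()
}
```

ValidationErrors of None means the FQDN you defined in Portnox Cloud will work. RemoteCertificateNameMismatch means the name you connected with is not in the certificate (the IP-address case, or a DC whose certificate was issued for a different name); RemoteCertificateChainErrors means the issuing CA is not trusted on the broker host, which LDAPS will also reject.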
Multiple brokers configured but only one in Portnox Cloud
Possible cause: The Windows virtual machines were cloned and have the same system GUID. Check the GUID in the following registry key:
Solution: Create the Windows virtual machine for each broker from scratch, not by using the clone option.

AD/LDAP groups are not populated in Portnox Cloud. There is a log entry that says: Fail to access registry: Value cannot be null.
Possible cause: The Windows registry was damaged during installation.
Solution: Reinstall the broker.